What to do when your security is breached by someone with a badge

Patrick Lambert looks at some high-profile cases of defendants being forced to give up passwords and encryption keys. What are your options when it happens to you outside of a court of law?

As IT admins and techies most of us take security seriously. Even management in most businesses has started to realize in the last couple of years how important it is to have a secure network and locked down computers. You may even think you're completely safe from attackers with your firewall, NAT router, antivirus software, security software, and full-disk encryption on your laptop for when you're on the road. Perhaps you keep up to date with the latest exploits, and make sure to always be two steps ahead of the bad guys, making yourself to be the least desirable target of all. But then, what happens if the people trying to breach your security aren't malicious crackers or online criminals, but the law? What plans have you made for when you're confronted by someone with a badge, and they ask you to open your laptop, give them your encryption password, or show them all your documents? That's what happened to Ramona Fricosu recently when she was put in jail for refusing to unlock her laptop, and it happens very often at border checks and other controls, and various other circumstances.

In thisparticularColoradocase, prosecutors say that Fricosu is suspected of having committed real estate fraud, and that the law enforcement authorities need to have full access to her unencrypted files. The defendant refused, and the EFF is helping her by opposing the government's request. But the judge side-stepped the issue. Since the EFF claimed that turning over her password would be a 5th amendment violation, the judge forced the woman to turn over an unencrypted version of the files. Federal prosecutors said that "not allowing the government access to encrypted computers would make it impossible to prosecute crimes such as terrorism, child exploitation, and drug trafficking." Of course, the EFF attorney disagrees and claims that the government, in this case, is trying to make encryption into something only criminals would use. So far, the 10th U.S. Circuit Court of Appeals refused to take on the case until Fricosu's criminal case is concluded first. [Editor's Note: In a separate case, the 11th U.S. Circuit Court of Appeals declared in a ruling last Thursday that forcing a defendant to unencrypt their hard disks is unconstitutional.]

This isn't the first time where someone suspected to be involved in some crime has had law enforcement officials or prosecutors demand to have access to documents, computers, and any other locked digital assets. There's been no ground-breaking standard set so far, and judges have actually ruled in various ways, sometimes claiming that encrypted documents were akin to protected speech, and other times more like a locked safe, which can be broken into. When it's a clear cut case that's in front of a court, there's very little that we as technology enthusiasts can do. Whether we fight the order, and hire an attorney to defend our rights to privacy is a personal matter, and something each of us has to decide. But things become much more gray when it comes to random searches and controls, where we're not accused of a crime, and when it's far less obvious that the officers have any right to see our data.

It's a sad fact that laptop seizures at the U.S. border are becoming more common, as shown by yetanotherhighprofilecase last month. A lot of people don't realize that the Fourth Amendment does not require border agents to have a reasonable suspicion before searching laptops or other digital devices at the border, including international airports. The question that's still unclear, however, is whether or not an officer can force you to provide your encryption key. And for those of us who care about our digital security or privacy, that's the most important point. What would you do if you entered the country and a border agent asked for your password? Or what about random searches in which you aren't suspected of a crime, but they'd like to have a look, just in case? There's several ways to approach the issue.

The first way is obviously to comply. Many people think that if they don't have anything to hide, then talking to cops or other government officers and allowing them to search their car, their belonging, or their digital data, is the safest course of action, and the fastest way to be on their way. It's a personal decision, but one I tend to disagree with. For a good argument on this (although mostly about physical searches rather than digital ones), I recommend watching thisvideo. The second way is to fight it. If someone asks you what's on your laptop, your smartphone, or if they ask to take it away from you for a bit, you refuse. They may still take it, but they won't be able to read the encrypted content. Then, it's up to them to decide whether to push it or not. In many cases they won't, but if they do, then that may mean legal troubles for you.

Then there's the third option, which is to try and trick them. That's what TrueCrypt's PlausibleDeniability is all about, where you have two separate encrypted partitions inside of one. If you enter the right password, then you get access to your files. But if you enter a dummy password, you get access to a separate, hidden partition. This method has quickly become a favorite of tech savvy travelers, and will fool most officers, but not experienced investigators. While they may not be able to prove you have other hidden files, they may get suspicious. So once again, it's up to you to decide, but the important takeaway is that this decision should be made now, before you encounter these types of situations. That way, you'll be prepared, and know what to do when your security doesn't get breached by criminals, but by people with a badge.

About Patrick Lambert

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

Full Bio

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news community TideArt. He's always at the forefront of the latest happening in the world of technology. You can find
him online at http://dendory.net or on Twitter at @dendory.

I am among the many with nothing to hide, except for HIPPA-protected medical files, personal and business finances and private communications. Oh, it seems I DO have something to protect. Thanks for alerting me to the new TrueCrypt feature, it seems like a good option until our "Government" is brought under control.

Actually, the 4th Amendment does prohibit searches and seizures without probable cause by Border Patrol or Customs agents.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Notice it says nothing about where in the United States, or the rest of the universe for that matter, the searches or seizures are being done, or under what conditions. Technically, by the letter of the Constitution, border agents are breaking the law. It's the INTERPRETATION by corrupt justices and the Executive branch, along with compliance by people passing through the borders that have encouraged the government to continue to claim it's legality.

I will tell you why. We us most of the birthday or the car number, something very common and have failed to find a new way of protecting ourselves.In fact that is why the ATM has failed. We have cobwebs in the heads and cannot think right all the times. Too much IT is pouring in. The only program I have seen in BBC, CLICK that gives you enough information, but that is BBC's opinion. You may have to think up of digits and alphabets to get a good one. But then many links want the alphas only. Oh how I hate the catch up that literally spoils your eyes. .I hope you get the message. IF WE TRY some one like the student who hacked the Facebook. I thank you Firozali A.Mulla DBA

I just wanted to remind you that knowingly giving a false statement to a lawenforment office is a crime in most states if not all, also you set yourself up for being charged with hindering A investigation of a lawenforment officer which can be a felony.
Though they do have to prove you knowingly gave a false reply IE lied, but when they cant get to your files there going to know something isnt right unless you can show you have a history of memory loss due to neurological/physical issues.

that simply encrypting your data entitles you to complete privacy from the Law. It protects your data but if the Law believe you have committed a crime and the evidence is on your PC/laptop then surely all it takes is a court order and you have to give them access. If the Law want to search your home or your place of work, they need permission, either from you if you're foolish enough to give it, or from the courts if they have sufficient reason to convince a judge. I don't see why an encrypted computer should be any different.

[quote]A lot of people don???t realize that the Fourth Amendment does not require border agents to have a reasonable suspicion before searching[/quote]
is only because we have allowed the law to assume that such a search is reasonable. And our rights and privacy will continue to erode unless we as a society refuse to accept the ridiculous as reasonable.

[i]But the judge side-stepped the issue... the judge forced the woman to turn over an unencrypted version of the files[/i]
This did not side-step the issue at all. A subpoena means you have to turn over the documents. There has never been an exemption for well-hidden documents. Refusing to turn over paper is no different from refusing to turn over a file.

Give them a password! If it doesn't work, give them another. If that doesn't work then I suppose you just can't recall what it is. While legally one can be harried over refusing to give them a password based on where you are/who is asking, it's quite harder to go after someone who is cooperating but can't recall what their password is under duress...

You should read your agreements. Every major cloud storage vendor tells you when you sign up, that they are presented with a request from a court, they will turn over your data.... with or without your knowledge.
The question is: would a hypothetical border guard try to access your cloud accounts from your mostly empty laptop?

They only apply to the USA. The rest of the world have their own laws, some worse, but some have much better laws than America, in this particular case.
[i]'Corruptissima re publica plurimae leges. Tacitus'[/i]

That is absolutely true, unfortunately the border patrol have the right to deny you access to the country. So, while you may have the right to refuse a search; that may mean you forfeit your goal of entering the country.

Lying to law enforcement is illegal, but should be protected under freedom of speech, but they stomped all over that contitutional right. And yet it's not illegal for law enforcement to lie to you, in fact, they often use lies mixed with truths to trick you into giving up information or admitting guilt, which by it's definition should be illegal as well. And then law enforcement wonders why a lot of folks won't talk to them even if they are a witness. In my travels around the world I have seen all kinds of things like this happening, especially here in the U.S. And it don't matter if you have nothing to hide or not, they may see something that perhaps looks suspicious or they can interpret something to be precursory to an illegal act. This is what the fourth ammendment was supposed to protect us all from, and yet once again they have used the constitution to wipe their collective asses on. It's sad that you can't even trust our law enforcement now days....

Who ever mis-typed my password three times... or however many times it takes to lock me out of my own PC or email account or bank account; all without the motivation to hinder an investigation.
That being said, I'm also not a big enough idiot to think that the NSA, who regularly decrypts the most secure encryption and steganographic codes available to foreign (non-US) governments can't crack whatever commercial encryption I use on a USB or laptop storage. It's simply a matter of how time consuming or expensive it will be to the courts to have them do so.
Last I checked, expense and convenience weren't reasons to violate Constitutionally guaranteed rights. If the US Courts want to think of data as a "safe - a physical device which can be broken into", I say let them use their own highly capable and taxpayer funded locksmiths. With a court order and writ of habeus corpus.

Puts the onus on the legal establishment. Charging and proving are not even close in cases such as this. The only way anyone could be sure a defendant is lying is if the defendant was sucessful in decrypting said media. And even then was it a lie if you couldn't recall the password at one point in time, but now you do?
Of course one should cooperate with law enforcement to the extent of the law. But what do you do when they step over a line involving constitutional rights? One should not go quietly down that path...

It's information from the defendant that would incriminate them because law enforcement doesn't know what to do with said physical evidence in hand.
I completely agree with you concerning legal writs specific to crime and evidence. I do not agree that giving out passwords falls under gathering of evidence. That violates the fifth amendment clause, to wit "no person . . . shall be compelled in any criminal case to be a witness against himself."
If law enforcement can't decrypt the hard drive that is their problem, not the defendants.

People please read the Constitution
The Fourth Amendment is EXACTLY what is supposed to protect you here
Article IV.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
I guess it is based on the word "REASONABLE"
Well it is not reasonable to me, because I cross some imaginary line, that another person has the right to go through my personal belongings.
"unless we as a society refuse to accept the ridiculous as reasonable."
Excellent point!

You are so right. Various tactics employed by our political leaders (such as the escalation of the "War on Drugs" and the "War on Terrorism") have eroded our Fourth Amendments rights over the past decades. Too many citizens resort to the bromide that "if you've done nothing wrong, you have nothing to hide," and consider their submission to government snooping an act of patriotism. They never consider the obvious: That a free society requires limitations upon government force. If there are no limitations to government force, and no limitations to what government officials can do to citizens, then there is no freedom either. The citizens have given it all away.

If I ask you to tell on yourself that is self-incrimination. Asking you to divulge information only you know (from the inner recesses of your mind) qualifies.
As you point out demanding physical evidence is definitely not self-incrimination. In this case the evidence in question isn't hidden its just not comprehensible to those who possess it. To make it readable would require information from the defendant, which brings into play self-incrimination. The judge bypassed the self-incrimination issue by asking for unencrypted documents.
This attempt at bypassing self-incrimination is rather silly because all the defendant has to say is what they have given law enforcement is the sole document in existence. The judge could also ask the defendant to produce a pink elephant, but if they don't have one you can hardly hold them in contempt for obstructing justice.

but if your front door was locked and the Law asked you to open but you didn't want to in case they found something naughty, saying no or you've lost your key isn't going to stop them. They would just bash your door in. If the Law has the time and access surely they can just use a brute force attack to "open" your encrypted data. To my mind we're not talking about authorities wanting to snoop but Law enforcement with a legitimate case for searching your property.

and that's not my intention. If the Law doesn't have a valid reason to search your property then they shouldn't get access.
I just don't follow the whole password = self incrimination argument.
Maybe someone can answer this question. To my mind digital storage is somewhere to store information so it equates to a safe or locked drawer. You lock it to keep things safe from those you don't want to have access. If the Law demand access to your safe are you obliged to tell them the combination? If they demand you open the locked drawer to the desk in your office, do you have to?
Obviously they can use brute force should you choose not to cooperate just as they can with encryption.

Warrant to search your house? They can open the door with a battering ram.
Warrant to search your safe? They can open the safe with power tools.
Warrant to search your digital media? They can read the 1s and 0s. They can actually read the files if they can open them. Ball is in their court.
Just for the record, this woman is PROBABLY scum, but violating the 4th or 5th amendments isn't the way to solve this. This isn't 1970s USSR, or modern day Iran. It is the USA and we are supposed to be the fair, civilized, and law abiding country. If that is the only evidence they have, they should have waited for her to incriminate herself some other way before arresting and prosecuting. The prosecutor's office needs to invest in some serious computer power and try to decrypt the drive.

Law enforcement has the laptop as evidence. I think they should bash away. Just don't ask the defendant to divulge something that only they know and may have ramifications beyond the issue at hand.
Giving a password isn't like a safe combination or physically opening a door. That password could be used to unlock other systems not relevant to the case. Or it might in and of itself be incriminating or damaging to the defendant unlike a key/combo which is single purpose. E.G. passwords like ???killer??? or ???slayu??? might prejudice an investigation. Thus a password through content, usage and origin falls under self-incrimination.
But as I said earlier, if you can't recall what the password is then the issue is moot. Who amongst us hasn't forgotten their password...